Analysis
max time kernel: 134s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/08/2024, 04:15
Static task: static1
Behavioral task: behavioral1
  Sample: add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Size: 139KB
MD5: add333043550c59cf6c79b3c369b9ab4
SHA1: c2a9dfd9dda301a4a18042a5e4b114da0df71f9a
SHA256: 69fc114f6fa4855a4a059f5d137b76c7e589cf2231aeb0fdbdc7e6b187390e91
SHA512: c8e82240ca250a4d3065fcf2e17e03f5657ac58ba040498b6cb42f080e1cecd394bd13e05286913e4ccb3e23b70d934f01d3a8addf84f34815cb4d96f5f983b8
SSDEEP: 3072:zH+Mcv5JXXieDEvy1W7rkD+bnAIhRjaNO:zHl0ndEqgkCAaRGs
Malware Config
Signatures
Server Software Component: Terminal Services DLL (1 TTPs, 14 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll" | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Loads dropped DLL (54 IoCs)
pid | Process
4696 | svchost.exe
4696 | svchost.exe
4696 | svchost.exe
4736 | svchost.exe
4736 | svchost.exe
4736 | svchost.exe
4736 | svchost.exe
4736 | svchost.exe
4736 | svchost.exe
4716 | svchost.exe
4716 | svchost.exe
4716 | svchost.exe
1648 | svchost.exe
1648 | svchost.exe
1648 | svchost.exe
1648 | svchost.exe
1648 | svchost.exe
1648 | svchost.exe
4592 | svchost.exe
4592 | svchost.exe
4592 | svchost.exe
3252 | svchost.exe
3252 | svchost.exe
3252 | svchost.exe
4416 | svchost.exe
4416 | svchost.exe
4416 | svchost.exe
4844 | svchost.exe
4844 | svchost.exe
4844 | svchost.exe
3888 | svchost.exe
3888 | svchost.exe
3888 | svchost.exe
3888 | svchost.exe
3888 | svchost.exe
3888 | svchost.exe
4928 | svchost.exe
4928 | svchost.exe
4928 | svchost.exe
4928 | svchost.exe
4928 | svchost.exe
4928 | svchost.exe
828 | svchost.exe
828 | svchost.exe
828 | svchost.exe
828 | svchost.exe
828 | svchost.exe
828 | svchost.exe
2940 | svchost.exe
2940 | svchost.exe
2940 | svchost.exe
2940 | svchost.exe
2940 | svchost.exe
2940 | svchost.exe
Drops file in System32 directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\uploadmgr.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\WmdmPmSp.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Ntmssvc.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Nwsapagent.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Nla.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\SRService.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\PCAudit.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Irmon.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Wmi.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\LogonHours.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\helpsvc.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\Ias.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\NWCWorkstation.dll | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4392 | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
4392 | add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\add333043550c59cf6c79b3c369b9ab4_JaffaCakes118.exe"
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 4392

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s FastUserSwitchingCompatibility
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 4696

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Irmon
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 4736

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nla
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 4716

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Ntmssvc
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1648

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s NWCWorkstation
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 4592

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Nwsapagent
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 3252

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s SRService
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 4416

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s WmdmPmSp
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 4844

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s LogonHours
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 3888

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s PCAudit
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 4928

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s helpsvc
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 828

C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k netsvcs -s uploadmgr
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2940
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 139KB
MD5: cc6e0ab6eb79750330ebfdb8d3b76328
SHA1: 4f0eec3ca40b479cc4155a0cb643c5d71383117c
SHA256: c07b7e5826817379794168cd0e48613cbd4c0483dc69a90ee8d3ff897ba0e746
SHA512: a78b74628b671df8f8e2a1b4ececaab5df89bef378d1088d0dca17eb32e5e166d3f68c50acd6b7b380deeb90b27c06ac709b54e9bf6c38a943b332083d7c8f15